Support ldap anonymous binding

We can support this simply by allowing ldap-user and ldap-password configuration options to be optional. Closes-Bug: #1762587 Co-authored-by: Vern Hart <vern.hart@canonical.com> Change-Id: I2668d90a58aac9d103240dc67061612358a67150
2022-06-22 14:19:20 +09:30 · 2022-06-22 14:19:20 +09:30 · cb7fdb3527
parent c712bf74ee
commit cb7fdb3527
5 changed files with 11 additions and 8 deletions
--- a/src/README.md
+++ b/src/README.md
@ -73,7 +73,8 @@ A file-based configuration can be added post-deploy in this way:
 #### `ldap-password`

 The `ldap-password` option supplies the password associated with the LDAP user
-(given by option `ldap-user`).
+(given by option `ldap-user`). For anonymous binding, leave ldap-password and
+ldap-user blank.

 #### `ldap-server`

@ -117,7 +118,8 @@ The `ldap-suffix` option states the LDAP server suffix to be used by Keystone.
 #### `ldap-user`

 The `ldap-user` option states the username (Distinguished Name) used to bind to
-the LDAP server (given by option `ldap-server`).
+the LDAP server (given by option `ldap-server`). For anonymous binding, leave
+ldap-user and ldap-password blank.

 # Deployment

--- a/src/config.yaml
+++ b/src/config.yaml
@ -26,12 +26,15 @@ options:
    default:
    description: |
      Username (Distinguished Name) used to bind to LDAP identity server.
-      .
+      For anonymous binding, leave ldap-user and ldap-password empty.
+
      Example: cn=admin,dc=test,dc=com
  ldap-password:
    type: string
    default:
-    description: Password of the LDAP identity server.
+    description: |
+      Password of the LDAP identity server.
+      For anonymous binding, leave ldap-user and ldap-password empty.
  ldap-suffix:
    type: string
    default:
--- a/src/lib/charm/openstack/keystone_ldap.py
+++ b/src/lib/charm/openstack/keystone_ldap.py
@ -133,8 +133,6 @@ class KeystoneLDAPCharm(charms_openstack.charm.OpenStackCharm):
        """
        required_config = {
            'ldap_server': hookenv.config('ldap-server'),
-            'ldap_user': hookenv.config('ldap-user'),
-            'ldap_password': hookenv.config('ldap-password'),
            'ldap_suffix': hookenv.config('ldap-suffix'),
        }

--- a/src/templates/keystone.conf
+++ b/src/templates/keystone.conf
@ -1,7 +1,9 @@
 [ldap]
 url = {{ options.ldap_server }}
+{% if options.ldap_user and options.ldap_password -%}
 user = {{ options.ldap_user }}
 password = {{ options.ldap_password }}
+{% endif -%}
 suffix = {{ options.ldap_suffix }}

 user_allow_create = {{ not options.ldap_readonly }}
--- a/unit_tests/test_lib_charm_openstack_keystone_ldap.py
+++ b/unit_tests/test_lib_charm_openstack_keystone_ldap.py
@ -32,8 +32,6 @@ class TestKeystoneLDAPCharm(Helper):
    def test_required_configuration(self, config):
        reply = {
            'ldap-server': 'myserver',
-            'ldap-user': 'myusername',
-            'ldap-password': 'mypassword',
            'ldap-suffix': 'suffix'
        }